SEC573: Python for Penetration Testers

Mon, September 12 - Fri, September 16, 2016

SEC573 is great - I'll be able to apply this content at work right away.

Ben Butz, Anonymous

Highly recommended. SEC573 truly gives you the power to forensicate at scale - or hunt adversaries.

Mark Osborn, SecureWorks

Your target has been well hardened. So far, your every attempt to compromise their network has failed. You did find evidence of a vulnerability, a break in their defensive posture. Unfortunately, all of your tools have failed to successfully exploit it. Your employers demand results. You want to model the actions of an advanced adversary and take advantage of that discovered flaw your tools can't seem to address. What do you do when off-the-shelf tools fall short? You write your own tool!

SEC573: Python for Penetration Testers will teach you the skills needed not only to tweak or customize tools, but to even develop your own tools from scratch. The course is designed to meet you at your current skill level and appeal to a wide variety of backgrounds. Whether you have absolutely no coding experience or are a skilled Python developer looking to apply your coding skills to penetration testing, this course has something for you.

You cannot become a world-class tool builder by merely listening to lectures, so this course is chock full of hands-on labs. Every day we will teach you the skills you need to develop serious Python programs and show you how to apply those skills in penetration testing engagements.

The course begins with an introduction to SANS pyWars, which is a four-day Capture the Flag competition that runs parallel to the course material. It will challenge your existing programming skills and help you develop new skills at your own pace. Experienced programmers can quickly progress to more advanced concepts while novice programmers spend time building a strong foundation.

We then cover the essential skills required to get the most out of the Python language. The essentials workshop labs will teach you the concepts and techniques required to develop your own tools. The workshop focuses on essential programming skills and how to apply them in real-world scenarios, but it also shows you shortcuts that will make even experienced developers more deadly. Once everyone understands the essentials, we apply those skills by developing tools to help you in your next penetration test. You will develop a port-scanning, anti-virus-evading, client-infecting backdoor for placement on target systems, as well as a SQL injection tool to extract data from websites that are immune to off-the-shelf tools. You will learn the concepts required to build a multi-threaded password guessing tool and a packet assembling network reconnaissance tool. The course concludes with a capstone one-day Capture the Flag event that complements the pyWars challenge and tests your ability to apply your new tools and coding skills in a penetration testing challenge.

The ability to read, write, and customize software is what distinguishes the good penetration tester from the great one. The best penetration testers can customize existing open-source tools or develop their own tools. Unfortunately, even though organizations serious about security continually emphasize their need for skilled tool builders, many testers do not have these skills. Developing these skills is not beyond your reach. So when you are ready to fully weaponize your penetration testing skillset and build and use your own tools to automate your penetration testing skills, join us for SEC573: Python for Penetration Testers.

In-depth Python...fully weaponized.

You Will Learn:

How to leverage Python scripting to maximize the effectiveness of your penetration tests.

How to use TCP sockets to build network applications.

How to develop Web Application attack tools.

How to parse TCP packets and PCAP data to extract valuable data.

How to use advanced application concepts, such as threading and message queueing.

Course Syllabus

SEC573.1: Essentials Workshop

Overview

The course begins with a brief introduction to Python and the pyWars Capture the Flag challenge. We set the stage for students to learn at their own pace in the 100 percent hands-on pyWars lab environment. While more advanced students take on Python-based Capture the Flag challenges, students who are new to programming will start from the very beginning with Python essentials, including variables, math operators, strings, functions, modules, compound statements, and introspection.

CPE/CMU Credits: 6

SEC573.2: Essentials Workshop

Overview

The second day continues the hands-on and lab-centric approach established on day one. This section covers the essentials of the language, including data structures and programming concepts. With the essentials of the language under your belt, the pyWars challenges and the in-class labs start to cover more complex subjects, such as lists, loops, tuples, dictionaries, the Python Debugger, System Arguments & ArgParser, and file operations.

CPE/CMU Credits: 6

SEC573.3: Pen Testing Applications

Overview

With a core set of skills established, we shift gears on day three. You will begin developing penetration testing tools to use in your next engagement. You will develop a backdoor command shell that evades antivirus software and provides you with that critical initial foothold in the target environment. You will then develop a customizable SQL injection tool that you can use to extract all the data from a vulnerable database when off-the-shelf tools fail. Finally, we will discuss how to speed up your code with multi-threading.

SEC573.4: Pen Testing Applications

Overview

In this section you will develop more tools to make you a more lethal penetration tester. First, you will develop a custom web-based password guesser. This will teach you how to get the most out of Python's web-based libraries and interact with websites using cookies, proxies, and other features in order to attack and exploit the most difficult web-based authentication systems. Then you will write a network reconnaissance tool that will demonstrate the power of Python's third-party libraries.

SEC573.5: Capture the Flag

Overview

The Capture the Flag event on the final day complements the pyWars challenge and tests your ability to apply your new penetration testing tools and coding skills. Working in teams, students apply the skills they have mastered in a series of penetration testing challenges. Participants will exercise the skills and code they have developed over the previous four days as they exploit vulnerable systems, break encryption ciphers, and remotely execute code on target systems. Test your skills! Prove your might!

CPE/CMU Credits: 6

Additional Information

Laptop Required

Students are required to bring their own laptop so that they can connect directly to the workshop network we will create, and thus get the most value out of the course. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMware products are available at www.vmware.com.

Windows

You are required to bring Windows 10 (Professional), Windows 8.1 (Professional), Windows 8 (Professional), Windows 7 (Professional, Enterprise, or Ultimate) or Windows Vista (Business, Enterprise, or Ultimate) either on a real system or a virtual machine. You will need administrative access to your Windows computer and the ability to install various software packages, including Python, on that computer.

IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.

The course includes a VMware image file of a guest Linux system that is larger than 10 GB. Therefore, you need a file system with the ability to read and write files that are larger than 10 GB, such as NTFS on a Windows machine.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from the VMware website. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on its website. No license number is required for VMware Player.

We will give you a DVD full of tools to use during the class (which is yours to keep). You will need a DVD drive to read the tools on that DVD for the course. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.

Linux

You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

x86- or x64-compatible 1.5 GHz CPU minimum or higher.

DVD drive (not a CD drive).

4 GB of RAM or higher recommended.

Ethernet adapter: A wired connection is required in class. If your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you.

15 GB available hard drive space.

During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn - and have a lot of fun doing it!

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Security professionals who want to learn how to develop Python applications.

Penetration testers who want to move from being a consumer of security tools to being a creator and customizer of security tools.

Technologists who need custom tools to test their infrastructure and want to create those tools themselves.

Prerequisites

A basic understanding of any programming or scripting language is highly recommended but not required for this class.

What You Will Receive

A virtual machine with sample code and working examples.

A copy of Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers, T.J. O'Connor's critically-praised book that shows readers how to forge their own weapons using the Python programming language.

MP3 audio files of the complete course lecture.

You Will Be Able To

Write a backdoor that uses Exception Handling, Sockets, Process execution, and encryption to provide you with your initial foothold in a target environment. The backdoor will include features such as a port scanner to find an open outbound port, techniques for evading antivirus software and network monitoring, and the ability to embed payload from tools such as Metasploit.

Write a SQL injection tool that uses standard Python libraries to interact with target websites. You will be able to use different SQL attack techniques for extracting data from a vulnerable target system.

Develop a password-guessing attack tool with features like multi-threading, cookie handlers, support for application proxies such as Burp, and much more.

Write a network reconnaissance tool that uses Scapy, StringIO, and PIL to reassemble TCP packet streams, extract data payloads such as images, display images, extract metadata such as GPS coordinates, and link those images with GPS coordinates to Google Maps.

Hands-on Training

File Input and Output

The Backdoor Shell - Write your own backdoor!

SQL Injection Utility - When SQLMAP just won't do the job.

Threading Concepts - When and how to use threading capabilities.

Password Guessing - That customized CAPTCHA cannot stop me.

Advanced Network Recon - There is nowhere to hide.

pyWars - An online hacking competition for the first four days of class with challenges for beginner and advanced programmers.

Capture the Flag - Test your ability to apply your new tools and coding skills in a penetration testing challenge.

Press & Reviews

"SEC573 is vital for anyone who considers themselves to be a pen tester." - Jeff Turner, Lexis Nexis Risk Solutions

"So far the content of Python for Penetration Testers has been great. I have learned several things, even as an advanced user." - Matthew Garfinkle, ManTech International Corporation

Author Statement

Good scripting skills are essential to professionals in all aspects of information security. Understanding how to develop your own applications means you can automate tasks and do more, with fewer resources, in less time. As penetration testers, knowing how to use canned information security tools is a basic skill that you must have. But knowing how to build your own tools when the tools someone else wrote fail is what separates the great penetration testers from the good ones. This course is designed for security professionals who want to learn how to apply basic coding skills to do their job more efficiently. The course will help take your career to the next level by teaching you the essential skills needed to develop applications that interact with networks, websites, databases, and file systems. We will cover these essential skills as we build practical applications that you can immediately put into use in your penetration tests.